{ "id": "ea1a25f5-0ba0-4efc-9dc4-8f124e4260cb", "created_at": "2026-04-06T00:15:02.3582Z", "updated_at": "2026-04-10T03:35:37.712113Z", "deleted_at": null, "sha1_hash": "d689be056a1de5a06dc4be39c06fa883f6d6f29e", "title": "SaintBear, Lorec53 - Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 61021, "plain_text": "SaintBear, Lorec53 - Threat Group Cards: A Threat Actor\r\nEncyclopedia\r\nArchived: 2026-04-05 14:16:16 UTC\r\nHome \u003e List all groups \u003e SaintBear, Lorec53\r\n APT group: SaintBear, Lorec53\r\nNames\r\nSaintBear (ThreatBook)\r\nEmber Bear (CrowdStrike)\r\nTA471 (Proofpoint)\r\nUNC2589 (FireEye)\r\nLorec53 (NSFOCUS)\r\nUAC-0056 (CERT-UA)\r\nNodaria (Symantec)\r\nFROZENVISTA (Google)\r\nStorm-0587 (Microsoft)\r\nNascent Ursa (Palo Alto)\r\nG1003 (MITRE)\r\nCountry Russia\r\nMotivation Information theft and espionage\r\nFirst seen 2021\r\nDescription\r\n(NSFOCUS) In July 2021, several phishing documents created in Georgian were\r\ndiscovered by NSFOCUS Security Labs. In these phishing documents, the attackers\r\nused current political hotspots in Georgia to create bait and deliver a secret stealing\r\nTrojan to specifically targeted victims aiming to steal various documents from their\r\ncomputers. Correlation analysis shows that this phishing campaign and an earlier\r\nphishing attack against the Ukrainian government came from the same unknown\r\nthreat entity, most likely composed of Russian hackers. From April to July of 2021,\r\nthe group launched several phishing attacks applying a large number of network\r\nresources located in Russia. In order to facilitate ongoing tracking, NSFOCUS\r\nSecurity Labs has tentatively dubbed the hacker group Lorec53 by extracting special\r\nnames from related Trojans.\r\nObserved\r\nSectors: Energy, Financial, Government, Media, Transportation.\r\nCountries: Georgia, Ukraine, USA.\r\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8f37f59a-226c-4059-9222-c5ad769f31ef\r\nPage 1 of 2\n\nTools used Cobalt Strike, Graphiron, GraphSteel, GrimPlant, OutSteel, SaintBot.\nOperations performed\nFeb 2022\nSpear Phishing Attacks Target Organizations in Ukraine, Payloads\nInclude the Document Stealer OutSteel and the Downloader SaintBot\nMar 2022\nUkraine’s CERT Warns Threat Actors For Fake AV Updates\nMar 2022\nCobalt Strikes again: UAC-0056 continues to target Ukraine in its\nlatest campaign\nOct 2022\nGraphiron: New Russian Information Stealing Malware Deployed\nAgainst Ukraine\nInformation\nMITRE ATT\u0026CK Playbook Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8f37f59a-226c-4059-9222-c5ad769f31ef\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=8f37f59a-226c-4059-9222-c5ad769f31ef\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/showcard.cgi?u=8f37f59a-226c-4059-9222-c5ad769f31ef" ], "report_names": [ "showcard.cgi?u=8f37f59a-226c-4059-9222-c5ad769f31ef" ], "threat_actors": [ { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "03a6f362-cbab-4ce9-925d-306b8c937bf1", "created_at": "2024-11-01T02:00:52.635907Z", "updated_at": "2026-04-10T02:00:05.339384Z", "deleted_at": null, "main_name": "Saint Bear", "aliases": [ "Saint Bear", "Storm-0587", "TA471", "UAC-0056", "Lorec53" ], "source_name": "MITRE:Saint Bear", "tools": [ "OutSteel", "Saint Bot" ], "source_id": "MITRE", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434502, "ts_updated_at": 1775792137, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d689be056a1de5a06dc4be39c06fa883f6d6f29e.pdf", "text": "https://archive.orkl.eu/d689be056a1de5a06dc4be39c06fa883f6d6f29e.txt", "img": "https://archive.orkl.eu/d689be056a1de5a06dc4be39c06fa883f6d6f29e.jpg" } }